On 3/11/03 9:28 AM, "Mike Markowitz" <markowitz(_at_)infoseccorp(_dot_)com>
wrote:
[Incidentally, what we're talking about is PGP's importing X.509
certificates. It imports them as V3 keys. This is a meta-2440 issue, which
is why I never brought it up.]
Importing an RSA certificate as a V3 key doesn't exactly sound like
deprecation
to me.
Well, that depends entirely on your opinion of X.509, doesn't it? :-)
No, but humorously, folks, that's the main reason I said "effectively" --
it's the glaring exception.
Any chance this will be corrected in PGP8 the near future? (Converting
a cert into a V4 key with appropriate algorithm preferences is not that hard.)
Personally, I think this is a misfeature. However, I *understand* why it was
done that way. There are a whole host of little fiddly things about making
one into a V4 key that can be completely sidestepped by making it a V3.
There are so many of them that making it into a V4 key could be called "a
can of worms." Certainly, it would require a couple of design meetings.
(Example worm coming out of the can -- what if the X.509 cert has in its
basic constraints that it's an encryption-only key? 2440 says that a
top-level key must be capable of signing. Possible solutions include
ignoring the issue, and making that key a sub-key while generating a new
top-level key.)
I don't agree with making it a V3 key, but I know why it was done -- it was
expedient, and lots of good engineering is about expedience.
This is on the list of things to improve someday. Remember, though, that
every day an engineer is working on Feature X, they are not working on
Feature Y. If V3 keys are deprecated, it moves up in priority list.
Jon